(9 months, 4 weeks ago)
Commons Chamber
For information, I intend to call those who have tabled amendments before other Members.
I call Sir John Whittingdale.
You are absolutely right, Madam Deputy Speaker; I have an amendment that I would like to speak to. It might be slightly unusual for the person who was the Minister taking the Bill through Committee then to seek to amend the Bill on Report, but I am sure it is not unprecedented, and I hope my amendment is nevertheless helpful to the Government. It is certainly my intention that it should be.
I have taken the Bill through Committee, and it has already been subject to a lot of scrutiny by the Culture, Media and Sport Committee, in this House and in the other place, and with the publication of a draft Bill. I am therefore slightly surprised to see the number of Government amendments that have been tabled. Most are relatively minor and technical, and I welcome the measure that would correct the anomaly around independent national radio, requiring it to continue to broadcast on AM, even though fewer and fewer people are now accessing radio by those means. It is right to remove that anomaly.
Amendment 78 addresses local television, which was the invention of my right hon. Friend the Member for South West Surrey (Jeremy Hunt). Although it has had a somewhat chequered history, it is successful in a number of areas across the country, particularly outside London. Rightly, the Government have consulted recently on whether they believe there is a long-term future for local TV, and I am optimistic they will conclude that they would like it to continue. The Bill will ensure that those broadcasters that the Government regard as making an important contribution should continue to thrive in a different media landscape. That is the purpose of the prominence provisions, which safeguard public service broadcasters to ensure that whatever means viewers choose to access television, they can find those public service broadcasters easily. Local television is not currently included on the list of channels that should have due prominence. As we move forward into an age when more and more people rely on internet protocol television to access channels, it will become increasingly hard for them if local TV is not obviously available on IPTV sets.
I have a Sky Glass television, which is an IPTV set, and at the moment I cannot get local television on it at all. One reason for that—and the reason the Government have previously given for not including local TV on the list of channels to be given prominence—is the absence of an app to deliver local TV. When I was filling in for the Minister over the past few months I had a meeting with local TV and was told that an app will be forthcoming quite soon that will allow local television to be received by IPTV. The Government suggested in a letter to my right hon. Friend the Member for Tunbridge Wells (Greg Clark) that they see a difficulty with that, and that because there are a large number of local television channels it would be difficult to give all of them individual prominence. However, I am assured by local television that they intend to come forward with a single app, which will be available on a number of major platforms and ensure that a specifically chosen geographical location in the country will receive the specific local TV channel that is appropriate for that area. We are only talking about one app. The Under-Secretary of State for Culture, Media and Sport said in his letter that the Government will continue to monitor the situation and consider increasing the availability of local content.
As we know, media Bills do not come along every day, and this is our single opportunity to update the law covering the range of media services. It is likely that there will not be another opportunity for some considerable time. My amendment would allow Ofcom, at a future date, to recommend the inclusion of a local TV app, as and when it emerges, in the prominence regime. It would ensure that the Bill future-proofs the regime so that it can be amended in such a way. I hope the Government will consider adopting that measure. I understand it is unlikely that they will accept my amendment, but I ask the Minister whether she will continue to look at this issue and, if the Government believe it is appropriate, consider tabling an amendment to that effect in the House of Lords.
On new clause 3, regarding the abolition of section 40 of the Crime and Courts Act 2013, I was slightly surprised to learn from my right hon. Friend the Member for Camborne and Redruth (George Eustice) that the inclusion of a firm pledge to repeal section 40, which was not just in the 2017 Conservative manifesto but repeated in that of 2019, was a drafting error. It did not strike me at the time that either the initial pledge or the second one were drafting errors.
(12 months ago)
Commons Chamber
I beg to move, That the clause be read a Second time.
With this it will be convenient to discuss the following:
Government new clause 48—Processing of personal data revealing political opinions.
Government new clause 7—Searches in response to data subjects’ requests.
Government new clause 8—Notices from the Information Commissioner.
Government new clause 9—Court procedure in connection with subject access requests.
Government new clause 10—Approval of a supplementary code.
Government new clause 11—Designation of a supplementary code.
Government new clause 12—List of recognised supplementary codes.
Government new clause 13—Change to conditions for approval or designation.
Government new clause 14—Revision of a recognised supplementary code.
Government new clause 15—Applications for approval and re-approval.
Government new clause 16—Fees for approval, re-approval and continued approval.
Government new clause 17—Request for withdrawal of approval.
Government new clause 18—Removal of designation.
Government new clause 19—Registration of additional services.
Government new clause 20—Supplementary notes.
Government new clause 21—Addition of services to supplementary notes.
Government new clause 22—Duty to remove services from the DVS register.
Government new clause 23—Duty to remove supplementary notes from the DVS register.
Government new clause 24—Duty to remove services from supplementary notes.
Government new clause 25—Index of defined terms for Part 2.
Government new clause 26—Powers relating to verification of identity or status.
Government new clause 27—Interface bodies.
Government new clause 28—The FCA and financial services interfaces.
Government new clause 29—The FCA and financial services interfaces: supplementary.
Government new clause 30—The FCA and financial services interfaces: penalties and levies.
Government new clause 31—Liability and damages.
Government new clause 32—Other data provision.
Government new clause 33—Duty to notify the Commissioner of personal data breach: time periods.
Government new clause 34—Power to require information for social security purposes.
Government new clause 35—Retention of information by providers of internet services in connection with death of child.
Government new clause 36—Retention of biometric data and recordable offences.
Government new clause 37—Retention of pseudonymised biometric data.
Government new clause 38—Retention of biometric data from INTERPOL.
Government new clause 39—National Underground Asset Register.
Government new clause 40—Information in relation to apparatus.
Government new clause 41—Pre-commencement consultation.
Government new clause 42—Transfer of certain functions of Secretary of State.
New clause 1—Processing of data in relation to a case-file prepared by the police service for submission to the Crown Prosecution Service for a charging decision—
“(1) The 2018 Act is amended in accordance with subsection (2).
(2) In the 2018 Act, after section 40 insert—
“40A Processing of data in relation to a case-file prepared by the police service for submission to the Crown Prosecution Service for a charging decision
(1) This section applies to a set of processing operations consisting of the preparation of a case-file by the police service for submission to the Crown Prosecution Service for a charging decision, the making of a charging decision by the Crown Prosecution Service, and the return of the case-file by the Crown Prosecution Service to the police service after a charging decision has been made.
(2) The police service is not obliged to comply with the first data protection principle except insofar as that principle requires processing to be fair, or the third data protection principle, in preparing a case-file for submission to the Crown Prosecution Service for a charging decision.
(3) The Crown Prosecution Service is not obliged to comply with the first data protection principle except insofar as that principle requires processing to be fair, or the third data protection principle, in making a charging decision on a case-file submitted for that purpose by the police service.
(4) If the Crown Prosecution Service decides that a charge will not be pursued when it makes a charging decision on a case-file submitted for that purpose by the police service it must take all steps reasonably required to destroy and delete all copies of the case-file in its possession.
(5) If the Crown Prosecution Service decides that a charge will be pursued when it makes a charging decision on a case-file submitted for that purpose by the police service it must return the case-file to the police service and take all steps reasonably required to destroy and delete all copies of the case-file in its possession.
(6) Where the Crown Prosecution Service decides that a charge will be pursued when it makes a charging decision on a case-file submitted for that purpose by the police service and returns the case-file to the police service under subsection (5), the police service must comply with the first data protection principle and the third data protection principle in relation to any subsequent processing of the data contained in the case-file.
(7) For the purposes of this section—
(a) The police service means—
(i) constabulary maintained by virtue of an enactment, or
(ii) subject to section 126 of the Criminal Justice and Public Order Act 1994 (prison staff not to be regarded as in police service), any other service whose members have the powers or privileges of a constable.
(b) The preparation of, or preparing, a case-file by the police service for submission to the Crown Prosecution Service for a charging decision includes the submission of the file.
(c) A case-file includes all information obtained by the police service for the purpose of preparing a case-file for submission to the Crown Prosecution Service for a charging decision.””
This new clause adjusts Section 40 of the Data Protection Act 2018 to exempt the police service and the Crown Prosecution Service from the first and third data protection principles contained within the 2018 Act so that they can share unredacted data with one another when making a charging decision.
New clause 2—Common standards and timeline for implementation—
“(1) Within one month of the passage of this Act, the Secretary of State must by regulations require those appointed as decision-makers to create, publish and update as required open and common standards for access to customer data and business data.
(2) Standards created by virtue of subsection (1) must be interoperable with those created as a consequence of Part 2 of the Retail Banking Market Investigation Order 2017, made by the Competition and Markets Authority.
(3) Regulations under section 66 and 68 must ensure interoperability of customer data and business data with standards created by virtue of subsection (1).
(4) Within one month of the passage of this Act, the Secretary of State must publish a list of the sectors to which regulations under section 66 and section 68 will apply within three years of the passage of the Act, and the date by which those regulations will take effect in each case.”
This new clause, which is intended to be placed in Part 3 (Customer data and business data) of the Bill, would require interoperability across all sectors of the economy in smart data standards, including the Open Banking standards already in effect, and the publication of a timeline for implementation.
New clause 3—Provision about representation of data subjects—
“(1) Section 190 of the Data Protection Act 2018 is amended as follows.
(2) In subsection (1), leave out “After the report under section 189(1) is laid before Parliament, the Secretary of State may” and insert “The Secretary of State must, within three months of the passage of the Data Protection and Digital Information Act 2024,”.”
This new clause would require the Secretary of State to exercise powers under s190 DPA2018 to allow organisations to raise data breach complaints on behalf of data subjects generally, in the absence of a particular subject who wishes to bring forward a claim about misuse of their own personal data.
New clause 4—Review of notification of changes of circumstances legislation—
“(1) The Secretary of State must commission a review of the operation of the Social Security (Notification of Changes of Circumstances) Regulations 2010.
(2) In conducting the review, the designated reviewer must—
(a) consider the current operation and effectiveness of the legislation;
(b) identify any gaps in its operation and provisions;
(c) consider and publish recommendations as to how the scope of the legislation could be expanded to include non-public sector, voluntary and private sector holders of personal data.
(3) In undertaking the review, the reviewer must consult—
(a) specialists in data sharing;
(b) people and organisations who campaign for the interests of people affected by the legislation;
(c) people and organisations who use the legislation;
(d) any other persons and organisations the review considers appropriate.
(4) The Secretary of State must lay a report of the review before each House of Parliament within six months of this Act coming into force.”
This new clause requires a review of the operation of the “Tell Us Once” programme, which seeks to provide simpler mechanisms for citizens to pass information regarding births and deaths to government, and consideration of whether the progress of “Tell Us Once” could be extended to non-public sector holders of data.
New clause 5—Definition of “biometric data”—
“Article 9 of the UK GDPR is amended by the omission, in paragraph 1, of the words “for the purpose of uniquely identifying a natural person”.”
This new clause would amend the UK General Data Protection Regulation to extend the protections currently in place for biometric data for identification to include biometric data for the purpose of classification.
New clause 43—Right to use non-digital verification services—
“(1) This section applies when an organisation—
(a) requires an individual to use a verification service, and
(b) uses a digital verification service for that purpose.
(2) The organisation—
(a) must make a non-digital alternative method of verification available to any individual required to use a verification service, and
(b) must provide information about digital and non-digital methods of verification to those individuals before verification is required.”
This new clause, which is intended for insertion into Part 2 of the Bill (Digital verification services), creates the right for data subjects to use non-digital identity verification services as an alternative to digital verification services, thereby preventing digital verification from becoming mandatory in certain settings.
New clause 44—Transfer of functions to the Investigatory Powers Commissioner’s Office—
“The functions of the Surveillance Camera Commissioner are transferred to the Investigatory Powers Commissioner.”
New clause 45—Interoperability of data and collection of comparable healthcare statistics across the UK—
“(1) The Health and Social Care Act 2012 is amended as follows.
(2) After section 250, insert the following section—
“250A Interoperability of data and collection of comparable healthcare statistics across the UK
(1) The Secretary of State must prepare and publish an information standard specifying binding data interoperability requirements which apply across the whole of the United Kingdom.
(2) An information standard prepared and published under this section—
(a) must include guidance about the implementation of the standard;
(b) may apply to any public body which exercises functions in connection with the provision of health services anywhere in the United Kingdom.
(3) A public body to which an information standard prepared and published under this section applies must have regard to the standard.
(4) The Secretary of State must report to Parliament each year on progress on the implementation of an information standard prepared in accordance with this section.
(5) For the purposes of this section—
“health services” has the same meaning as in section 250 of this Act, except that for “in England” there is substituted “anywhere in the United Kingdom”, and “the health service” in parts of the United Kingdom other than England has the meaning given by the relevant statute of that part of the United Kingdom;
“public body” has the same meaning as in section 250 of this Act.”
(3) In section 254 (Powers to direct NHS England to establish information systems), after subsection (2), insert—
“(2A) The Secretary of State must give a direction under subsection (1) directing NHS England to collect and publish information about healthcare performance and outcomes in all parts of the United Kingdom in a way which enables comparison between different parts of the United Kingdom.
(2B) Before giving a direction by virtue of subsection (2A), the Secretary of State must consult—
(a) the bodies responsible for the collection and publication of official statistics in each part of the United Kingdom,
(b) Scottish Ministers,
(c) Welsh Ministers, and
(d) Northern Ireland departments.
(2C) The Secretary of State may not give a direction by virtue of subsection (2A) unless a copy of the direction has been laid before, and approved by resolution of, both Houses of Parliament.
(2D) Scottish Ministers, Welsh Ministers and Northern Ireland departments must arrange for the information relating to the health services for which they have responsibility described in the direction given by virtue of subsection (2A) to be made available to NHS England in accordance with the direction.
(2E) For the purposes of a direction given by virtue of subsection (2A), the definition of “health and social care body” given in section 259(11) applies as if for “England” there were substituted “the United Kingdom”.””
New clause 46—Assessment of impact of Act on EU adequacy—
“(1) Within six months of the passage of this Act, the Secretary of State must carry out an assessment of the impact of the Act on EU adequacy, and lay a report of that assessment before both Houses of Parliament.
(2) The report must assess the impact on—
(a) data risk, and
(b) small and medium-sized businesses.
(3) The report must quantify the impact of the Act in financial terms.”
New clause 47—Review of the impact of the Act on anonymisation and the identifiability of data subjects—
“(1) Within six months of the passage of this Act, the Secretary of State must lay before Parliament the report of an assessment of the impact of the measures in the Act on anonymisation and the identifiability of data subjects.
(2) The report must include a comparison between the rights afforded to data subjects under this Act with those afforded to data subjects by the EU General Data Protection Regulation.”
Amendment 278, in clause 5, page 6, line 15, leave out paragraphs (b) and (c).
This amendment and Amendment 279 would remove the power for the Secretary of State to create pre-defined and pre-authorised “recognised legitimate interests”, for data processing. Instead, the current test would continue to apply in which personal data can only be processed in pursuit of a legitimate interest, as balanced with individual rights and freedoms.
Amendment 279, page 6, line 23, leave out subsections (4), (5) and (6).
See explanatory statement to Amendment 278.
Amendment 230, page 7, leave out lines 1 and 2 and insert—
“8. The Secretary of State may not make regulations under paragraph 6 unless a draft of the regulations has been laid before both Houses of Parliament for the 60-day period.
8A. The Secretary of State must consider any representations made during the 60-day period in respect of anything in the draft regulations laid under paragraph 8.
8B. If, after the end of the 60-day period, the Secretary of State wishes to proceed to make the regulations, the Secretary of State must lay before Parliament a draft of the regulations (incorporating any changes the Secretary of State considers appropriate pursuant to paragraph 8A).
8C. Draft regulations laid under paragraph 8B must, before the end of the 40-day period, have been approved by a resolution of each House of Parliament.
8D. In this Article—
“the 40-day period” means the period of 40 days beginning on the day on which the draft regulations mentioned in paragraph 8 are laid before Parliament (or, if it is not laid before each House of Parliament on the same day, the later of the days on which it is laid);
“the 60-day period” means the period of 60 days beginning on the day on which the draft regulations mentioned in paragraph 8B are laid before Parliament (or, if it is not laid before each House of Parliament on the same day, the later of the days on which it is laid).
8E. When calculating the 40-day period or the 60-day period for the purposes of paragraph 8D, ignore any period during which Parliament is dissolved or prorogued or during which both Houses are adjourned for more than 4 days.”
This amendment would make regulations made in respect of recognised legitimate interest subject to a super-affirmative Parliamentary procedure.
Amendment 11, page 7, line 12, at end insert—
““internal administrative purposes”, in relation to special category data, means the conditions set out for lawful processing in paragraph 1 of Schedule 1 of the Data Protection Act 2018.”
This amendment clarifies that the processing of special category data in employment must follow established principles for reasonable processing, as defined by paragraph 1 of Schedule 1 of the Data Protection Act 2018.
Government amendment 252.
Amendment 222, page 10, line 8, leave out clause 8.
Amendment 3, in clause 8, page 10, leave out line 31.
This amendment would mean that the resources available to the controller could not be taken into account when determining whether a request is vexatious or excessive.
Amendment 2, page 11, line 34, at end insert—
“(6A) When informing the data subject of the reasons for not taking action on the request in accordance with subsection (6), the controller must provide evidence of why the request has been treated as vexatious or excessive.”
This amendment would require the data controller to provide evidence of why a request has been considered vexatious or excessive if the controller is refusing to take action on the request.
Government amendment 17.
Amendment 223, page 15, line 22, leave out clause 10.
Amendment 224, page 18, line 7, leave out clause 12.
Amendment 236, in clause 12, page 18, line 21, at end insert—
“(c) a data subject is an identified or identifiable individual who is affected by a significant decision, irrespective of the direct presence of their personal data in the decision-making process.”
This amendment would clarify that a “data subject” includes identifiable individuals who are subject to data-based and automated decision-making, whether or not their personal data is directly present in the decision-making process.
Amendment 232, page 19, line 12, leave out “solely” and insert “predominantly”.
This amendment would mean safeguards for data subjects’ rights, freedoms and legitimate interests would have to be in place in cases where a significant decision in relation to a data subject was taken based predominantly, rather than solely, on automated processing.
Amendment 5, page 19, line 12, after “solely” insert “or partly”.
This amendment would mean that the protections provided for by the new Article 22C would apply where a decision is based either solely or partly on automated processing, not only where it is based solely on such processing.
Amendment 233, page 19, line 18, at end insert
“including the reasons for the processing.”
This amendment would require data controllers to provide the data subject with the reasons for the processing of their data in cases where a significant decision in relation to a data subject was taken based on automated processing.
Amendment 225, page 19, line 18, at end insert—
“(aa) require the controller to inform the data subject when a decision described in paragraph 1 has been taken in relation to the data subject;”.
Amendment 221, page 20, line 3, at end insert—
“7. When exercising the power to make regulations under this Article, the Secretary of State must have regard to the following statement of principles:
Digital information principles at work
1. People should have access to a fair, inclusive and trustworthy digital environment at work.
2. Algorithmic systems should be designed and used to achieve better outcomes: to make work better, not worse, and not for surveillance. Workers and their representatives should be involved in this process.
3. People should be protected from unsafe, unaccountable and ineffective algorithmic systems at work. Impacts on individuals and groups must be assessed in advance and monitored, with reasonable and proportionate steps taken.
4. Algorithmic systems should not harm workers’ mental or physical health, or integrity.
5. Workers and their representatives should always know when an algorithmic system is being used, how and why it is being used, and what impacts it may have on them or their work.
6. Workers and their representatives should be involved in meaningful consultation before and during use of an algorithmic system that may significantly impact work or people.
7. Workers should have control over their own data and digital information collected about them at work.
8. Workers and their representatives should always have an opportunity for human contact, review and redress when an algorithmic system is used at work where it may significantly impact work or people. This includes a right to a written explanation when a decision is made.
9. Workers and their representatives should be able to use their data and digital technologies for contact and association to improve work quality and conditions.
10. Workers should be supported to build the information, literacy and skills needed to fulfil their capabilities through work transitions.”
This amendment would insert into new Article 22D of the UK GDPR a requirement for the Secretary of State to have regard to the statement of digital information principles at work when making regulations about automated decision-making.
Amendment 4, in clause 15, page 25, line 4, at end insert
“(including in the cases specified in sub-paragraphs (a) to (c) of paragraph 3 of Article 35)”.
This amendment, together with Amendment 1, would provide a definition of what constitutes “high risk processing” for the purposes of applying Articles 27A, 27B and 27C, which require data controllers to designate, and specify the duties of, a “senior responsible individual” with responsibility for such processing.
Government amendments 18 to 44.
Amendment 12, in page 32, line 7, leave out clause 17.
This amendment keeps the current requirement on police in the Data Protection Act 2018 to justify why they have accessed an individual’s personal data.
Amendment 1, in clause 18, page 32, line 18, leave out paragraph (c) and insert—
“(c) omit paragraph 2,
(ca) in paragraph 3—
(i) for “data protection” substitute “high risk processing”,
(ii) in sub-paragraph (a), for “natural persons” substitute “individuals”,
(iii) in sub-paragraph (a) for “natural person” substitute “individual” in both places where it occurs,
(cb) omit paragraphs 4 and 5,”.
This amendment would leave paragraph 3 of Article 35 of the UK GDPR in place (with amendments reflecting amendments made by the Bill elsewhere in the Article), thereby ensuring that there is a definition of “high risk processing” on the face of the Regulation.
Amendment 226, page 39, line 38, leave out clause 26.
Amendment 227, page 43, line 2, leave out clause 27.
Amendment 228, page 46, line 32, leave out clause 28.
Government amendment 45.
Amendment 235, page 57, line 29, leave out clause 34.
This amendment would leave in place the existing regime, which refers to “manifestly unfounded” or excessive requests to the Information Commissioner, rather than the proposed change to “vexatious” or excessive requests.
Government amendments 46 and 47.
Amendment 237, in clause 48, page 77, line 4, leave out “individual” and insert “person”.
This amendment and Amendments 238 to 240 are intended to enable the digital verification services covered by the Bill to include verification of organisations as well as individuals.
Amendment 238, page 77, line 5, leave out “individual” and insert “person”.
See explanatory statement to Amendment 237.
Amendment 239, page 77, line 6, leave out “individual” and insert “person”.
See explanatory statement to Amendment 237.
Amendment 240, page 77, line 7, leave out “individual” and insert “person”.
See explanatory statement to Amendment 237.
Amendment 241, page 77, line 8, at end insert (on new line)—
“and the facts which may be so ascertained, verified or confirmed may include the fact that an individual has a claimed connection with a legal person.”
This amendment would ensure that the verification services covered by the Bill will include verification that an individual has a claimed connection with a legal person.
Government amendments 48 to 50.
Amendment 280, in clause 49, page 77, line 13, at end insert—
“(2A) The DVS trust framework must include a description of how the provision of digital verification services is expected to uphold the Identity Assurance Principles.
(2B) Schedule (Identity Assurance Principles) describes each Identity Assurance Principle and its effect.”
Amendment 281, page 77, line 13, at end insert—
“(2A) The DVS trust framework must allow valid attributes to be protected by zero-knowledge proof and other decentralised technologies, without restriction upon how and by whom those proofs may be held or processed.”
Government amendments 51 to 66.
Amendment 248, in clause 52, page 79, line 7, at end insert—
“(1A) A determination under subsection (1) may specify an amount which is tiered to the size of the person and its role as specified in the DVS trust framework.”
This amendment would enable fees for application for registration in the DVS register to be determined on the basis of the size and role of the organisation applying to be registered.
Amendment 243, page 79, line 8, after “may”, insert “not”.
This amendment would provide that the fee for application for registration in the DVS register could not exceed the administrative costs of determining the application.
Government amendment 67.
Amendment 244, page 79, line 13, after “may”, insert “not”.
This amendment would provide that the fee for continued registration in the DVS register could not exceed the administrative costs of that registration.
Government amendment 68.
Amendment 245, page 79, line 21, at end insert—
“(10) The fees payable under this section must be reviewed every two years by the National Audit Office.”
This amendment would provide that the fees payable for DVS registration must be reviewed every two years by the NAO.
Government amendments 69 to 77.
Amendment 247, in clause 54, page 80, line 38, after “person”, insert “or by other parties”.
This amendment would enable others, for example independent experts, to make representations about a decision to remove a person from the DVS register, as well as the person themselves.
Amendment 246, page 81, line 7, at end insert—
“(11) The Secretary of State may not exercise the power granted by subsection (1) until the Secretary of State has consulted on proposals for how a decision to remove a person from the DVS register will be reached, including—
(a) how information will be collected from persons impacted by a decision to remove the person from the register, and from others;
(b) how complaints will be managed;
(c) how evidence will be reviewed;
(d) what the burden of proof will be on which a decision will be based.”
This amendment would provide that the power to remove a person from the DVS register could not be exercised until the Secretary of State had consulted on the detail of how a decision to remove would be reached.
Government amendments 78 to 80.
Amendment 249, in clause 62, page 86, line 17, at end insert—
“(3A) A notice under this section must give the recipient of the notice an opportunity to consult the Secretary of State on the content of the notice before providing the information required by the notice.”
This amendment would provide an option for consultation between the Secretary of State and the recipient of an information notice before the information required by the notice has to be provided.
Government amendment 81.
Amendment 242, in clause 63, page 87, line 21, leave out “may” and insert “must”.
This amendment would require the Secretary of State to make arrangements for a person to exercise the Secretary of State’s functions under this Part of the Bill, so that an independent regulator would perform the relevant functions and not the Secretary of State.
Amendment 250, in clause 64, page 87, line 34, at end insert—
“(1A) A report under subsection (1) must include a report on any arrangements made under section 63 for a third party to exercise functions under this Part.”
This amendment would require information about arrangements for a third party to exercise functions under this Part of the Bill to be included in the annual reports on the operation of the Part.
Government amendments 82 to 196.
Amendment 6, in clause 83, page 107, leave out from line 26 to the end of line 34 on page 108.
This amendment would leave out the proposed new regulation 6B of the PEC Regulations, which would enable consent to be given, or an objection to be made, to cookies automatically.
Amendment 217, page 109, line 20, leave out clause 86.
This amendment would leave out the clause which would enable the sending of direct marketing electronic mail on a “soft opt-in” basis.
Amendment 218, page 110, line 1, leave out clause 87.
This amendment would remove the clause which would enable direct marketing for the purposes of democratic engagement. See also Amendment 220.
Government amendments 253 to 255.
Amendment 219, page 111, line 6, leave out clause 88.
This amendment is consequential on Amendment 218.
Government amendments 256 to 265.
Amendment 7, in clause 89, page 114, line 12, at end insert—
“(2A) A provider of a public electronic communications service or network is not required to intercept or examine the content of any communication in order to comply with their duty under this regulation.”
This amendment would clarify that a public electronic communications service or network is not required to intercept or examine the content of any communication in order to comply with their duty to notify the Commissioner of unlawful direct marketing.
Amendment 8, page 117, line 3, at end insert—
“(5) In regulation 1—
(a) at the start, insert “(1)”;
(b) after “shall”, insert “save for regulation 26A”;
(c) at end, insert—
“(2) Regulation 26A comes into force six months after the Commissioner has published guidance under regulation 26C (Guidance in relation to regulation 26A).””
This amendment would provide for the new regulation 26A, Duty to notify Commissioner of unlawful direct marketing, not to come into force until six months after the Commissioner has published guidance in relation to that duty.
Government amendment 197.
Amendment 251, in clause 101, page 127, line 3, leave out “and deaths” and insert “, deaths and deed polls”.
This amendment would require deed poll information to be kept to the same standard as records of births and deaths.
Amendment 9, page 127, line 24, at end insert—
“(2A) After section 25, insert—
“25A Review of form in which registers are to be kept
(1) The Secretary of State must commission a review of the provisions of this Act and of related legislation, with a view to the creation of a single digital register of births and deaths.
(2) The review must consider and make recommendations on the effect of the creation of a single digital register on—
(a) fraud,
(b) data collection, and
(c) ease of registration.
(3) The Secretary of State must lay a report of the review before each House of Parliament within six months of this section coming into force.””
This amendment would insert a new section into the Births and Deaths Registration Act 1953 requiring a review of relevant legislation, with consideration of creating a single digital register for registered births and registered deaths and recommendations on the effects of such a change on reducing fraud, improving data collection and streamlining digital registration.
Government amendment 198.
Amendment 229, in clause 112, page 135, line 8, leave out subsections (2) and (3).
Amendment 10, in clause 113, page 136, line 35, leave out
“which allows or confirms the unique identification of that individual”.
This amendment would amend the definition of “biometric data” for the purpose of the oversight of law enforcement biometrics databases so as to extend the protections currently in place for biometric data for identification to include biometric data for the purpose of classification.
Government amendments 199 to 207.
Government new schedule 1—Power to require information for social security purposes.
Government new schedule 2—National Underground Asset Register: monetary penalties.
New schedule 3—Identity Assurance Principles—
“Part 1
Definitions
1 These Principles are limited to the processing of Identity Assurance Data (IdA Data) in an Identity Assurance Service (e.g. establishing and verifying identity of a Service User; conducting a transaction that uses a user identity; maintaining audit requirements in relation to a transaction associated with the use of a service that needs identity verification etc.). They do not cover, for example, any data used to deliver a service, or to measure its quality.
2 In the context of the application of the Identity Assurance Principles to an Identity Assurance Service, “Identity Assurance Data” (“IdA Data”) means any recorded information that is connected with a “Service User” including—
“Audit Data.” This includes any recorded information that is connected with any log or audit associated with an Identity Assurance Service.
“General Data.” This means any other recorded information which is not personal data, audit data or relationship data, but is still connected with a “Service User”.
“Personal Data.” This takes its meaning from the Data Protection Act 2018 or subsequent legislation (e.g. any recorded information that relates to a “Service User” who is also an identified or identifiable living individual).
“Relationship Data.” This means any recorded information that describes (or infers) a relationship between a “Service User”, “Identity Provider” or “Service Provider” with another “Service User”, “Identity Provider” or “Service Provider” and includes any cookie or program whose purpose is to supply a means through which relationship data are collected.
3 Other terms used in relation to the Principles are defined as follows—
“Identity Assurance Service.” This includes relevant applications of the technology (e.g. hardware, software, database, documentation) in the possession or control of any “Service User”, “Identity Provider” or “Service Provider” that is used to facilitate identity assurance activities; it also includes any IdA Data processed by that technology or by an Identity Provider or by a Service Provider in the context of the Service; and any IdA Data processed by the underlying infrastructure for the purpose of delivering the IdA service or associated billing, management, audit and fraud prevention.
“Identity Provider.” This means the certified individual or certified organisation that provides an Identity Assurance Service (e.g. establishing an identity, verification of identity); it includes any agent of a certified Identity Provider that processes IdA data in connection with that Identity Assurance Service.
“Participant.” This means any “Identity Provider”, “Service Provider” or “Service User” in an Identity Assurance Service. A “Participant” includes any agent by definition.
“Processing.” In the context of IdA data means “collecting, using, disclosing, retaining, transmitting, copying, comparing, corroborating, correlating, aggregating, accessing” the data and includes any other operation performed on IdA data.
“Provider.” Includes both “Identity Provider” and/or “Service Provider”.
“Service Provider.” This means the certified individual or certified organisation that provides a service that uses an Identity Provider in order to verify identity of the Service User; it includes any agent of the Service Provider that processes IdA data from an Identity Assurance Service.
“Service User.” This means the person (i.e. an organisation (incorporated or not)) or an individual (dead or alive) who has established (or is establishing) an identity with an Identity Provider; it includes an agent (e.g. a solicitor, family member) who acts on behalf of a Service User with proper authority (e.g. a public guardian, or a Director of a company, or someone who possesses power of attorney). The person may be living or deceased (the identity may still need to be used once its owner is dead, for example by an executor).
“Third Party.” This means any person (i.e. any organisation or individual) who is not a “Participant” (e.g. the police or a Regulator).
Part 2
The Nine Identity Assurance Principles
Any exemptions from these Principles must be specified via the “Exceptional Circumstances Principle”. (See Principle 9).
1 User Control Principle
Statement of Principle: “I can exercise control over identity assurance activities affecting me and these can only take place if I consent or approve them.”
1.1 An Identity Provider or Service Provider must ensure any collection, use or disclosure of IdA data in, or from, an Identity Assurance Service is approved by each particular Service User who is connected with the IdA data.
1.2 There should be no compulsion to use the Identity Assurance Service and Service Providers should offer alternative mechanisms to access their services. Failing to do so would undermine the consensual nature of the service.
2 Transparency Principle
Statement of Principle: “Identity assurance can only take place in ways I understand and when I am fully informed.”
2.1 Each Identity Provider or Service Provider must be able to justify to Service Users why their IdA data are processed. Ensuring transparency of activity and effective oversight through auditing and other activities inspires public trust and confidence in how their details are used.
2.2 Each Service User must be offered a clear description about the processing of IdA data in advance of any processing. Identity Providers must be transparent with users about their particular models for service provision.
2.3 The information provided includes a clear explanation of why any specific information has to be provided by the Service User (e.g. in order that a particular level of identity assurance can be obtained) and identifies any obligation on the part of the Service User (e.g. in relation to the User’s role in securing his/her own identity information).
2.4 The Service User will be able to identify which Service Provider they are using at any given time.
2.5 Any subsequent and significant change to the processing arrangements that have been previously described to a Service User requires the prior consent or approval of that Service User before it comes into effect.
2.6 All procedures, including those involved with security, should be made publicly available at the appropriate time, unless such transparency presents a security or privacy risk. For example, the standards of encryption can be identified without jeopardy to the encryption keys being used.
3 Multiplicity Principle
Statement of Principle: “I can use and choose as many different identifiers or identity providers as I want to.”
3.1 A Service User is free to use any number of identifiers that each uniquely identifies the individual or business concerned.
3.2 A Service User can use any of his identities established with an Identity Provider with any Service Provider.
3.3 A Service User shall not be obliged to use any Identity Provider or Service Provider not chosen by that Service User; however, a Service Provider can require the Service User to provide a specific level of Identity Assurance, appropriate to the Service User’s request to a Service Provider.
3.4 A Service User can choose any number of Identity Providers and where possible can choose between Service Providers in order to meet his or her diverse needs. Where a Service User chooses to register with more than one Identity Provider, Identity Providers and Service Providers must not link the Service User’s different accounts or gain information about their use of other Providers.
3.5 A Service User can terminate, suspend or change Identity Provider and where possible can choose between Service Providers at any time.
3.6 A Service Provider does not know the identity of the Identity Provider used by a Service User to verify an identity in relation to a specific service. The Service Provider knows that the Identity Provider can be trusted because the Identity Provider has been certified, as set out in GPG43 – Requirements for Secure Delivery of Online Public Services (RSDOPS).
4 Data Minimisation Principle
Statement of Principle: “My interactions only use the minimum data necessary to meet my needs.”
4.1 Identity Assurance should only be used where a need has been established and only to the appropriate minimum level of assurance.
4.2 Identity Assurance data processed by an Identity Provider or a Service Provider to facilitate a request of a Service User must be the minimum necessary in order to fulfil that request in a secure and auditable manner.
4.3 When a Service User stops using a particular Identity Provider, their data should be deleted. Data should be retained only where required for specific targeted fraud, security or other criminal investigation purposes.
5 Data Quality Principle
Statement of Principle: “My interactions only use the minimum data necessary to meet my needs.”
5.1 Service Providers should enable Service Users (or authorised persons, such as the holder of a Power of Attorney) to be able to update their own personal data, at a time at their choosing, free of charge and in a simple and easy manner.
5.2 Identity Providers and Service Providers must take account of the appropriate level of identity assurance required before allowing any updating of personal data.
6 Service User Access and Portability Principle
Statement of Principle: “I have to be provided with copies of all of my data on request; I can move/remove my data whenever I want.”
6.1 Each Identity Provider or Service Provider must allow, promptly, on request and free of charge, each Service User access to any IdA data that relates to that Service User.
6.2 It shall be unlawful to make it a condition of doing anything in relation to a Service User to request or require that Service User to request IdA data.
6.3 The Service User must be able to require an Identity Provider to transfer his personal data, to a second Identity Provider in a standard electronic format, free of charge and without impediment or delay.
7 Certification Principle
Statement of Principle: “I can have confidence in the Identity Assurance Service because all the participants have to be certified against common governance requirements.”
7.1 As a baseline control, all Identity Providers and Service Providers will be certified against a shared standard. This is one important way of building trust and confidence in the service.
7.2 As part of the certification process, Identity Providers and Service Providers are obliged to co-operate with the independent Third Party and accept their impartial determination and to ensure that contractual arrangements—
• reinforce the application of the Identity Assurance Principles
• contain a reference to the independent Third Party as a mechanism for dispute resolution.
7.3 In the context of personal data, certification procedures include the use of Privacy Impact Assessments, Security Risk Assessments, Privacy by Design concepts and, in the context of information security, a commitment to using appropriate technical measures (e.g. encryption) and ever improving security management. Wherever possible, such certification processes and security procedures reliant on technical devices should be made publicly available at the appropriate time.
7.4 All Identity Providers and Service Providers will take all reasonable steps to ensure that a Third Party cannot capture IdA data that confirms (or infers) the existence of relationship between any Participant. No relationships between parties or records should be established without the consent of the Service User.
7.5 Certification can be revoked if there is significant non-compliance with any Identity Assurance Principle.
8 Dispute Resolution Principle
Statement of Principle: “If I have a dispute, I can go to an independent Third Party for a resolution.”
8.1 A Service User who, after a reasonable time, cannot, or is unable, to resolve a complaint or problem directly with an Identity Provider or Service Provider can call upon an independent Third Party to seek resolution of the issue. This could happen for example where there is a disagreement between the Service User and the Identity Provider about the accuracy of data.
8.2 The independent Third Party can resolve the same or similar complaints affecting a group of Service Users.
8.3 The independent Third Party can co-operate with other regulators in order to resolve problems and can raise relevant issues of importance concerning the Identity Assurance Service.
8.4 An adjudication/recommendation of the independent Third Party should be published. The independent Third Party must operate transparently, but detailed case histories should only be published subject to appropriate review and consent.
8.5 There can be more than one independent Third Party.
8.6 The independent Third Party can recommend changes to standards or certification procedures or that an Identity Provider or Service Provider should lose their certification.
9 Exceptional Circumstances Principle
Statement of Principle: “Any exception has to be approved by Parliament and is subject to independent scrutiny.”
9.1 Any exemption from the application of any of the above Principles to IdA data shall only be lawful if it is linked to a statutory framework that legitimises all Identity Assurance Services, or an Identity Assurance Service in the context of a specific service. In the absence of such a legal framework then alternative measures must be taken to ensure transparency, scrutiny and accountability for any exceptions.
9.2 Any exemption from the application of any of the above Principles that relates to the processing of personal data must also be necessary and justifiable in terms of one of the criteria in Article 8(2) of the European Convention of Human Rights: namely in the interests of national security; public safety or the economic well-being of the country; for the prevention of disorder or crime; for the protection of health or morals, or for the protection of the rights and freedoms of others.
9.3 Any subsequent processing of personal data by any Third Party who has obtained such data in exceptional circumstances (as identified by Article 8(2) above) must be the minimum necessary to achieve that (or another) exceptional circumstance.
9.4 Any exceptional circumstance involving the processing of personal data must be subject to a Privacy Impact Assessment by all relevant “data controllers” (where “data controller” takes its meaning from the Data Protection Act).
9.5 Any exemption from the application of any of the above Principles in relation to IdA data shall remain subject to the Dispute Resolution Principle.”
Amendment 220, in schedule 1, page 141, leave out from line 21 to the end of line 36 on page 144.
This amendment would remove from the new Annex 1 of the UK GDPR provisions which would enable direct marketing for the purposes of democratic engagement. See also Amendment 218.
Government amendments 266 to 277.
Government amendments 208 to 211.
Amendment 15, in schedule 5, page 154, line 2, at end insert—
“(g) the views of the Information Commission on suitability of international transfer of data to the country or organisation.”
This amendment requires the Secretary of State to seek the views of the Information Commission on whether a country or organisation has met the data protection test for international data transfer.
Amendment 14, page 154, line 25, at end insert—
“5. In relation to special category data, the Information Commissioner must assess whether the data protection test is met for data transfer to a third country or international organisation.”
This amendment requires the Information Commission to assess suitability for international transfer of special category data to a third country or international organisation.
Amendment 13, page 154, line 30, leave out “ongoing” and insert “annual”.
This amendment mandates that a country’s suitability for international transfer of data is monitored on an annual basis.
Amendment 16, in schedule 6, page 162, line 36, at end insert—
“(g) the views of the Information Commission on suitability of international transfer of data to the country or organisation.”
This amendment requires the Secretary of State to seek the views of the Information Commission on whether a country or organisation has met the data protection test for international data transfer in relation to law enforcement processing.
Government amendment 212.
Amendment 231, in schedule 13, page 202, line 33, at end insert—
“(2A) A person may not be appointed under sub-paragraph (2) unless the Science, Innovation and Technology Committee of the House of Commons has endorsed the proposed appointment.”
This amendment would ensure that non-executive members of the Information Commission may not be appointed unless the Science, Innovation and Technology Committee has endorsed the Secretary of State’s proposed appointee.
Government amendments 213 to 216.
The current one-size-fits-all, top-down approach to data protection that we inherited from the European Union has led to public confusion, which has impeded the effective use of personal data to drive growth and competition, and to support key innovations. The Bill seizes on a post-Brexit opportunity to build on our existing foundations and create an innovative, flexible and risk-based data protection regime. This bespoke model will unlock the immense possibilities of data use to improve the lives of everyone in the UK, and help make the UK the most innovative society in the world through science and technology.
I want to make it absolutely clear that the Bill will continue to maintain the highest standards of data protection that the British people rightly expect, but it will also help those who use our data to make our lives healthier, safer and more prosperous. That is because we have convened industry leaders and experts to co-design the Bill at every step of the way. We have held numerous roundtables with both industry experts in the field and campaigning groups. The outcome, I believe, is that the legislation will ensure our regulation reflects the way real people live their lives and run their businesses.
I do have a note on interface bodies, which I am happy to include for the benefit of my hon. Friend. However, he will be aware that this is a technical and complicated area. If he wants to pursue a further discussion, I would of course be happy to oblige. I can tell him that the amendments will ensure that smart data schemes can replicate and build on the open banking model by allowing the Government to require interface bodies to be set up by members of the scheme. Interface bodies will play a similar role to that of the open banking implementation entity, developing common standards on arrangements for data sharing. Learning from the lessons and successes of the open banking regime, regulations will be able to specify the responsibilities and requirements for interface bodies and ensure appropriate accountability to regulators. I hope that that goes some way to addressing the point that he makes, but I would be happy to discuss it further with him in due course.
I believe these amendments will generally improve the functioning of the Bill and address some specific concerns that I have identified. On that basis, I commend them to the House.
(2 years, 6 months ago)
Commons Chamber
No, if the hon. Gentleman will forgive me, as I am under a lot of pressure to keep this short.
The second Bill is the media Bill, which is vital for the future of public service broadcasting in this country. A lot of attention will be given to the provisions on Channel 4, which I welcome, although it is important that we debate those and discuss the model that Channel 4 should operate in future. The Bill contains other important provisions. The prominence of public service broadcasters has been argued for by ITV, Channel 4 and the BBC for many years, and it is essential if we are to protect public service broadcasters and ensure that they are visible in a world where competing channels are increasing in number almost every week.
In support of commercial public service broadcasters, I welcome the absence from the Queen’s Speech of a Bill to introduce advertising bans for HFSS—high in fat, salt or sugar—foods before 9 pm. I support the Government’s wish to reduce obesity, but I firmly believe that an advertising ban would have no effect on that and, at the same time, would massively affect commercial broadcasters.
I regret the absence from the Bill of provisions for radio prominence. This was an important part of the outcome of the digital radio and audio review. The Government accepted the recommendations from that but they seem to have dropped out of the Bill. I hope that we might try to correct that during its passage.
I look forward to the inclusion in the Bill of the repeal of section 40 of the Crime and Courts Act 2013, which is a sword of Damocles hanging over a free press allowing a future Government to impose punitive costs unless they sign up to the Government’s version of regulation. The removal of that was in the Conservative manifesto and I very much hope that we will fulfil that manifesto commitment in that Bill.
The third Bill is the digital markets and competition Bill, which, if anything, is even more important to the freedom of the press. At the moment, the press are at a disadvantage in their negotiations with the big platforms such as Facebook and Google, which take their content and decide how much, if anything, they are going to pay for it. The digital markets unit is being established to address that, but it needs to be put on a statutory basis; it needs to be underpinned by law. I therefore welcome the provision in the Queen’s Speech for a draft Bill but hope the Government will move forward to implement that legislation as soon as possible.
Finally, I turn to a Bill I again played some role in: the data Bill. One of the great opportunities from Britain taking back control of its own laws is our ability to write our own data protection laws. Of course we want to ensure that people’s privacy is protected, but at the same time the existing rules have acted as a disincentive. They are overburdensome and not properly understood by large numbers of small firms in particular. This is a real opportunity to have a modern data protection regime which others across the world will admire and follow.
On that basis, I am delighted to support the Queen’s Speech.
I call SNP spokesperson Carol Monaghan.